Re: Information Security?

From: Mike Linksvayer (ml@justintime.com)
Date: Mon Nov 16 1998 - 13:27:22 MST


Michael Lorrey wrote:
> I figured out the other day how WS_FTP encrypts its passwords in its INI
> file, which is rather weak and a major weakness for anyone using this FTP
> client to transfer files. Essentially, the encryption works like this: each
> letter of the password is converted to its hexadecimal value. Then one hex
> digit is added to the letter's hex value based on its position in the
> password, starting with 0 for the letter in the first position.
>
> So, while you may only FTP encrypted files to an FTP site, by using a weak
> password encryption like this a hacker could easily sniff out your password
> and then use the FTP site with impunity in YOUR name.

ftp passwords are sent as cleartext between the client and server,
so ws_ftp's .ini settings obfuscation does nothing to help or hinder
someone who wants your password, unless that someone has access to
your ws_ftp .ini file.

There is an rfc out concerning secure ftp, but it isn't widely
implemented yet. See <http://www.mit.edu/people/marc/ftpsec/ftpsec.html>.

--
See From: and Organization: above.  Call +1 415 553 6408 for assistance.

